Bug 1918808

Summary: Create SC with enable encryption: Page still gives option to click on "Allow Persistent Volume Claims to be expanded"
Product: [Red Hat Storage] Red Hat OpenShift Data Foundation Reporter: Neha Berry <nberry>
Component: management-consoleAssignee: Alfonso Martínez <almartin>
Status: CLOSED CURRENTRELEASE QA Contact: Vishakha Kathole <vkathole>
Severity: low Docs Contact:
Priority: low    
Version: 4.7CC: akrai, almartin, anbehl, jefbrown, muagarwa, ndevos, nthomas, ocs-bugs, odf-bz-bot, skatiyar
Target Milestone: ---Keywords: Improvement
Target Release: ODF 4.12.0Flags: almartin: needinfo-
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: 4.12.0-79 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-02-08 14:06:28 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Screencast of the selections in the Create storageclass page none

Description Neha Berry 2021-01-21 15:29:58 UTC 
Created attachment 1749434 [details]
Screencast of the selections in the Create storageclass page

Description of problem:
===============================

As seen in the attached screenshot and the screencast, when one clicks on Create STorage class and selects the RBD provisioner from drop down, user gets the option to "Enable Encryption".

When we select the Pool and Enable Encryption, following warning is shown in the screen:

>> Warning alert:Encrypted PVs cannot be cloned expanded or create snapshots.

But even though this message is reported in the screen, users are still able to select the checkbox and once created, the Storageclass has the "allowVolumeExpansion: true"

>>Allow persistent volume claims to be expanded

Version-Release number of selected component (if applicable):
==============================================================
OCP = 4.7.0-0.nightly-2021-01-19-095812
OCS = ocs-operator.v4.7.0-235.ci

How reproducible:
=================
Always

Steps to Reproduce:
=========================
1. With OCS installed, navigate to Storage->Storageclass->Create Storageclass
2. Select "provisioner: openshift-storage.rbd.csi.ceph.com"
3. Select the pool and the Enable encryption comes up on the screen
4. Click on Enable Encryption and you will see the message 
"Warning alert:Encrypted PVs cannot be cloned expanded or create snapshots."
5. But I am still able to click on the checkbox for "Allow persistent volume claims to be expanded" which is contradictory

Actual results:
==================
Even though the warning message says encrypted PVs cannot be expanded, then why do we allow users to select the checkbox for Volume expansion in the same Storageclass. 

Expected results:
======================
If users select Enable Encryption, then the checkbox for "Allow persistent volume claims to be expanded" should become mooted.

Additional info:
=====================
$ oc get sc test-kms-sc -o yaml
allowVolumeExpansion: true
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  creationTimestamp: "2021-01-21T08:05:03Z"
  managedFields:
  - apiVersion: storage.k8s.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:allowVolumeExpansion: {}
      f:parameters:
        .: {}
        f:clusterID: {}
        f:csi.storage.k8s.io/controller-expand-secret-name: {}
        f:csi.storage.k8s.io/controller-expand-secret-namespace: {}
        f:csi.storage.k8s.io/fstype: {}
        f:csi.storage.k8s.io/node-stage-secret-name: {}
        f:csi.storage.k8s.io/node-stage-secret-namespace: {}
        f:csi.storage.k8s.io/provisioner-secret-name: {}
        f:csi.storage.k8s.io/provisioner-secret-namespace: {}
        f:encrypted: {}
        f:encryptionKMSID: {}
        f:imageFeatures: {}
        f:imageFormat: {}
        f:pool: {}
      f:provisioner: {}
      f:reclaimPolicy: {}
      f:volumeBindingMode: {}
    manager: Mozilla
    operation: Update
    time: "2021-01-21T08:05:03Z"
  name: test-kms-sc
  resourceVersion: "615579"
  selfLink: /apis/storage.k8s.io/v1/storageclasses/test-kms-sc
  uid: be176785-fec8-491e-aca8-03851fb39364
parameters:
  clusterID: openshift-storage
  csi.storage.k8s.io/controller-expand-secret-name: rook-csi-rbd-provisioner
  csi.storage.k8s.io/controller-expand-secret-namespace: openshift-storage
  csi.storage.k8s.io/fstype: ext4
  csi.storage.k8s.io/node-stage-secret-name: rook-csi-rbd-node
  csi.storage.k8s.io/node-stage-secret-namespace: openshift-storage
  csi.storage.k8s.io/provisioner-secret-name: rook-csi-rbd-provisioner
  csi.storage.k8s.io/provisioner-secret-namespace: openshift-storage
  encrypted: "true"
  encryptionKMSID: 1-VAULT
  imageFeatures: layering
  imageFormat: "2"
  pool: ocs-storagecluster-cephblockpool
provisioner: openshift-storage.rbd.csi.ceph.com
reclaimPolicy: Delete
volumeBindingMode: Immediate
Comment 3 gowtham 2021-01-27 10:47:59 UTC 
Hi,
  I have discussed this issue with Ankush. "Allow persistent volume claims to be expanded" a check box is a generic option for all SC provisioned type. It is not an OCS specific option. Instead of hiding this checkbox only, we have that warning message.

Ankush please connect me if I am wrong here.
Comment 5 gowtham 2021-01-27 14:00:07 UTC 
(In reply to gowtham from comment #3)
> Hi,
>   I have discussed this issue with Ankush. "Allow persistent volume claims
> to be expanded" check box is a generic option for all SC provisioner type.
> It is not an OCS specific option. Instead of hiding this checkbox only, we
> are have this warning message.
> 
> Ankush please correct me if I am wrong
Comment 6 Ankush Behl 2021-01-27 14:34:24 UTC 
Is it a generic Cavite/feature for all the storage provisioners if the encryption is enabled then expansion, clone, and snapshots are not supported from CSI?

I think the best way to do is generic to all provisioner(if possible). Right now the expansion is available even this box is not checked in storage class creation page and I think its a bug on OCP side to fix and likewise, if this is same with behaviour with another provisioner for encryption then we can achieve this generically. But needs to be planned for the next release(4.8).

Also, I think CSI should block the reconcile if this can't be achieved as expansion can happen manually as well.
Comment 7 gowtham 2021-01-28 07:18:09 UTC 
As Ankush told, I can see the same issue with other provisioners also. It needs to be fixed on the OCP side.
Comment 8 Niels de Vos 2021-02-01 08:43:31 UTC 
We plan to add this functionality to Ceph-CSI for OCS-4.8, see https://github.com/ceph/ceph-csi/issues/1469

If the procedure is blocked by OCP, we will need to follow-up on that too. Please provide a link to the bug/feature in that case.
Comment 9 gowtham 2021-02-04 08:23:34 UTC 
Fix required some changes in the existing extension, Need to discuss how to fix this issue on other provisioners also.

Since Ceph-CSI is targetting this functionality for 4.8, I would suggest moving this bug fix for 4.8.
Comment 10 Nishanth Thomas 2021-06-11 04:49:08 UTC 
*** Bug 1970351 has been marked as a duplicate of this bug. ***